-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Next Generation Security Technologies
http://www.ngsec.com
Security Advisory
Title: NtRegmon, local system denial of service.
ID: NGSEC-2004-7
Application: NtRegmon (http://www.sysinternals.com/ntw2k/source/regmon.shtml)
Date: 14/Aug/2004
Status: Patched version available (6.12).
Platform(s): Windows OSs.
Author: Fermín J. Serna
Location: http://www.ngsec.com/docs/advisories/NGSEC-2004-7.txt
Overview:
- ---------
NtRegmon is a Registry monitoring utility that will show you which applications
are accessing your Registry, which keys they are accessing, and the Registry
data that they are reading and writing - all in real-time.
For its task NtRegmon hooks some kernel mode funtions (Registry functions) for
its logging purposes.
Regmon suffer from an unvalidated pointer referencing in some of this kernel
hooks.
While any privileged user is using NtRegmon, any local and unauthorized user
can crash the system.
Technical description:
- ----------------------
NtRegmon is a Registry monitoring utility that will show you which applications
are accessing your Registry, which keys they are accessing, and the Registry
data that they are reading and writing - all in real-time.
For its task NtRegmon hooks some kernel mode funtions (Registry functions) for
its logging purposes.
Regmon suffers from some unvalidated pointer referencing in some of this kernel
hooks. In example NtRegmon hooks ZwSetQueryValue declared as follows:
NTSTATUS ZwSetQueryValue(DWORD KeyHandle, DWORD ValueName, DWORD TitleIndex,
DWORD Type, DWORD Data, DWORD DataSize);
The problem exists because NtRegmon does not properly check if some argument
pointers are valid or not. While any privileged user is using Regmon, any local
and unauthorized user can crash the system.
Sample exploitation cand be found:
http://www.ngsec.com/downloads/exploits/ntregmon-dos.c
Recommendations:
- ----------------
Upgrade to NtRegmon version 6.12.
- --
More security advisories at: http://www.ngsec.com/ngresearch/ngadvisories/
PGP Key: http://www.ngsec.com/pgp/labs.asc
Copyright(c) 2002-2004 NGSEC. All rights reserved.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
iD8DBQFBLFeCKrwoKcQl8Y4RAjxYAKCYw9QhDRCxnJSXd2HFt9Zp/pRgYwCfQynV
/bdl2s6PNLcuP6kXn5pRSlg=
=P5Yq
-----END PGP SIGNATURE-----